CSCur00930 - CUCM evaluation for CVE-2014-6271, 2014-7169, 2014-6277 and 2014-6278 - 5

I'm not finding any information for ELM. Does the same COP file fix the BASH vulnerability in ELM? Is ELM vulnerable?

The concern with the bash shell is that services MAY be set up to run as
users which use those shells, and therefore be able to have things
injected into those shells. Nothing on NetWare uses bash by default,
because NetWare is not anything like Linux/Unix in its use of shells.
Sure, you can load bash for fun and profit on NetWare, but unless you
explicitly request it the bash.nlm file is never used. On NetWare I do
not think it is even possible to have any normal non-Bash environment
variable somehow be exported/inherited into a bash shell, though I've
never tried.
Good luck.

Similar Messages

  • CSCur05017 - N5K/N6K evaluation for CVE-2014-6271 and CVE-2014-7169 - 4

    What about if we run an older version not listed in "Known Affected Releases"? We currently have 2 Nexus switches with engine 5.0(3)N2(1).
    Thanks for any input on that.

  • CSCur05434 - Emergency Responder evaluation for CVE-2014-6271 and CVE-2014-7169

    So, is there going to be a COP file fix released for Emergency Responder or are we expected to know how to download and install the fixed version of Bash from Red Hat as the solution? For Call Manager, Unity and UCCX, there were COP files released...if this is not going to be the solution for ER, it would be nice if the bug report were clearer on the matter.

    There is one posted under "CER Upgrade Patch", at least for 10. The bug report is not clear on that at all.
    Turns into: bash-3.2-33.el5_11.4
    after installing the patch.

  • CSCur02861 - UCCX evaluation for CVE-2014-6271, 2014-7169, 2014-6277 and 2014-6278 - 2

    The status of this bug is listed as fixed, however there is no version listed under the known fixed releases.
    Would anyone know how this is possible?

  • Telepresence endpoint evaluation for CVE-2014-6271 and CVE-2014-7169 aka "Shellshock"

    Please refer to the Cisco Security Advisory for more information.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
    BUG ID: CSCur02591
    /Magnus

    Hi Magnus,
    Is blocking the management ports (HTTP/HTTPS/SSH/Telnet/basically everything under port 1024) sufficient to mitigate this issue for TelePresence systems?
    Or is the issue also present on the SIP and H.323 ports?

  • Sourcefire rule for CVE 2014-1692

    Hi,
    Please let me know the Sourcefire rule number for CVE 2014-1692.
    Best Regards,
    Jackson Ku

    Hi,
    Thanks for your reply. Do you mean there is no Sourcefire rule for CVE 2014-1692 currently, and we should raise a TAC case to request one?
    Best Regards,
    Jackson

  • Is a patch available for CVE-2014-3566?

    Is a patch available for CVE-2014-3566?

    Update your OS X to the latest version plus any security updates.
    Pete

  • Hello Apple, where is the patch for CVE-2014-6271?

    Any timeframe?
    I have not seen any information posted online.
    Thanks

    You are referring to the bash bug?
    BASH Bug?
    It will be the same as all other security bugs Apple fixes - silence until they release a fix. I linked to a post that replaces bash with a newer version from Homebrew. Use that if you have systems exposed by this flaw; I suspect it will be in the malware & exploit toolkits by now.

  • BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

    I have raised a support case with TAC to try and get more information on the preferred config as well as what Ciphers then become available. Points raised in the support case are as follows:
    Current config based on existing article pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
    Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH
    Use of strength meaning that the Ciphers are ordered and presented strongest to weakest as negotiation should occur at the first mutually accepted cipher.
    What are the TLSv1 Ciphers used by Ironport? (verify under sslconfig CLI appears only to list SSL ciphers)
    Finally, does the Ironport support or plan to support in the future TLSv1.1 and TLSv1.2 ciphers?
    Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 which doesn't address all my points
    Paul

    Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only TLSv1 is enabled.
    And reordering ciphers by strength won't bring anything since the client's cipher order will always be preferred.
    Also, MD5 should be disabled as it's widely considered too weak for the job.
    My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5

  • NX-OS ( n7000-s1-dk9.5.1.3.bin ) BASH VULNERABILITY - CVE-2014-6271 and CVE-2014-7169

    Hi,
    Nexus 7000 evaluation for CVE-2014-6271 and CVE-2014-7169: I am referring to the link below to check for NX-OS - n7000-s1-dk9.5.1.3.bin
    https://tools.cisco.com/bugsearch/bug/CSCur04856
    5.1.3 is not mentioned in the affected list. Need help to know if 5.1 is affected by the BASH vulnerability.
    Thanks for help in advance.

  • Impact of CVE-2014-6271 and CVE-2014-7169 (Shellshock) on NetWare6.5 SP8

    Greetings, all...
    I see that Novell has a handy security note out regarding CVE-2014-6271:
    http://support.novell.com/security/c...2014-6271.html
    as it pertains to SUSE and SLE, as well as one for CVE-2014-7169:
    http://support.novell.com/security/c...2014-7169.html
    Testing in a bash shell on one of my NetWare boxes, I've been pleasantly
    surprised, though remain unconvinced that the older bash port is entirely
    free of vulnerability, here.
    Yes, I do have a couple SSL sites running on NetWare Apache (2.2.27), though
    I don't believe that anyone is using mod_cgi or mod_cgid.
    (BTW, if anyone needs patched versions of bash 3.0.27 for CentOS 4.8, I have
    32 and 64-bit binary rpms on my FTP server:
    ftp.2rosenthals.com/pub/CentOS/4.8 .)
    Just curious as to what the consensus is regarding NetWare with this thing.
    TIA
    Lewis
    Lewis G Rosenthal, CNA, CLP, CLE, CWTS
    Rosenthal & Rosenthal, LLC www.2rosenthals.com
    Need a managed Wi-Fi hotspot? www.hautspot.com
    visit my IT blog www.2rosenthals.net/wordpress

    The concern with the bash shell is that services MAY be set up to run as
    users which use those shells, and therefore be able to have things
    injected into those shells. Nothing on NetWare uses bash by default,
    because NetWare is not anything like Linux/Unix in its use of shells.
    Sure, you can load bash for fun and profit on NetWare, but unless you
    explicitly request it the bash.nlm file is never used. On NetWare I do
    not think it is even possible to have any normal non-Bash environment
    variable somehow be exported/inherited into a bash shell, though I've
    never tried.
    Good luck.

  • CVE-2014-0513 hotfix for CS5?

    Hello,
    I was checking to see if there is a hotfix for CS5 regarding this vulnerability: CVE-2014-0513
    I have searched however it seems to only be for CS6 so wondering if CVE-2014-0513 even applies to CS5?
    Please advise.
    Thanks
    Reggie

    Hi Jacob,
    Is there a post or something that lists it? I went to the link you posted but I didn't see a mention of CS5 for CVE-2014-0513
    The only thing I saw was for CS6
    CVE-2014-0513 : Stack-based buffer overflow in Adobe Illustrator CS6 before 16.0.5 and 16.2.x before 16.2.2 allows remot…

  • Regarding CVE-2014-0510

    Regarding CVE-2014-0510, the CVE only references 12.0.0.77; however, none of the updates since address this CVE.  Is this vulnerability still outstanding in current versions?

  • Security investigate regarding CVE-2014-3735

    Hi,
    We are working on an issue reported by a security scan tool, which says that our Windows Server machine
    is vulnerable in some versions of Intel Indeo Video that could lead to a denial of service attack.
    The flaw lies in ir41_32.ax and can be exploited by a remote attacker and could result in a denial of service
    condition. After further investigation we learned that the affected version is '4.51.16.3'.
    But as we are using Windows Server 2008 R2, I am not sure whether this can be exploited or not, because as per
    https://technet.microsoft.com/library/security/954157
    the problem does NOT exist on Windows Server 2008.

    Hi,
    As far as I know, ir41_32.ax 4.51.16.3 for Intel Indeo Video 4.5 allows remote attackers to cause a denial of service (crash) via a crafted .avi file.
    If you are not using the above version of Intel Indeo Video, then systems are not affected.
    In addition, it is recommended to keep Windows machines fully patched.
    More information for you:
    Vulnerability Summary for CVE-2014-3735
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3735
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best Regards,
    Amy

  • Are you aware of bash security issue CVE-2014-6271? Do you have a patch for that? The problem may exist in all Solaris versions.

    Are you aware of bash security issue CVE-2014-6271? Do you have a patch for that? The problem may exist in all Solaris versions.

    The official communication is now posted to
        https://blogs.oracle.com/security/entry/security_alert_cve_2014_7169
